Wikileaks, IT pro not ‘in any danger’ in Coleman leak, lawyer says

Hacker. Unprofessional. Immoral. A “black hat” villain. For her role in finding Norm Coleman’s unsecured donor database in January, IT consultant Adria Richards has been the target of anger from Coleman supporters, including some who had their personal information revealed in the Web site breach. She received a phone call on Friday from one such man. The caller was irate, offering the vague threat, “I live less than a mile away from you!” She later calmed him down.

Despite the vitriol aimed her way, what Richards did wasn’t illegal, nor were the actions of the Web site Wikileaks.org, which received the database and shared its contents with the world — at least not if similar cases and the word of a top digital-rights lawyer are any indicator.

Jennifer Granick is the civil liberties director for the Electronic Frontier Foundation (EFF), the country’s leading digital-rights advocacy group. She immediately dismissed the term “hacker” to describe anyone — whether Richards, who spotted and shared info about the unprotected database, or Wikileaks.org — in this case.

“It’s not a term I use,” she said. “It’s not a legal term and it doesn’t answer the question whether it’s unlawful.”

She looks to the federal law, particularly the Computer Fraud and Abuse Act, which deals with accessing sensitive data by unauthorized individuals for the purpose of defrauding others, aiding in criminal activity or causing damage to the contents of a “protected computer.”

Based on her knowledge of this case, as well as the law, Granick said it was legal for Richards to view the Web directory on which Coleman’s donor list resided.

“There has to be some kind of indication that information is locked away,” she said.

For comparison, she offered a similar story of politics and unprotected online information. In the 2006 gubernatorial election in California, aides to Democratic candidate Phil Angelides found personal audio files on Gov. Arnold Schwarzenegger’s Web site through “backward browsing”: shortening the URL for a page of the governor’s speeches to find a directory of files. The captured conversations, from a speech-writing session, included Schwarzenegger opining about a Latina city official’s “hot” temperament: “I mean, they [Cubans and Puerto Ricans] are all very hot…they have the, you know, part of the black blood in them and part of the Latino blood in them and together that makes it.”

Like Coleman’s donor list up until late on Jan. 28, the Schwarzenegger files were on an open directory: Users seeking to download the files were not asked to enter a password.

The California governor asked the California Highway Patrol (CHP), the agency in charge of protecting state property, to investigate the case. After a four-month study, they chose not to file charges, finding that Angelides’ staffers broke no law in downloading the audio files, and advised the governor’s office to improve the “overall security of their computer network.”

Civil courts have interpreted the Computer Fraud and Abuse Act in differing ways, though, said Granick. Some cases have tried to argue that the intent of the Web site’s creator should be considered. In Coleman’s case, the database’s listing of supporters’ credit card numbers and three-digit security codes could suggest that the site operator intended this information to be protected.

“But without any indication of any kind of blocking of information, it’s hard for a user to know what the owner wants,” Granick said. “The statute is really designed to protect the integrity of a computer system, not to protect the desires” of the site’s owner.

While Richards only pointed out that the security breach existed, Wikileaks.org published some of the database’s contents.

“I don’t think Wikileaks is in any danger here,” said Granick. “I’m not aware of something that prevents you from publishing information that you obtained legally as long as that publication isn’t part of a conspiracy or attempt at identity theft or crime.”

Regardless of how Wikileaks obtained the database — as long as the site was an “innocent receiver” of the information and didn’t solicit the data — there’s legal precedent protecting it. Granick said it’s part of a “long journalistic tradition,” including, most notably, the Supreme Court case ruling on the Pentagon Papers, a classified report on 20 years of U.S. political and military actions in Vietnam that was leaked in 1971.

“The law could not stop The New York Times from publishing it. And that’s national security information,” said Granick. “Wikileaks benefits from that tradition… Once it’s out, we let history decide if it’s better kept secret or not.”

“American law tries to be extremely narrow about what speech we prohibit,” she added. “It’s dangerous to punish the republication of information, especially if the publisher obtained the information legally. Even if you have info that was taken improperly, it may be of public concern.”

Some have questioned Richards’ motives as well as those of others who’ve reported on this story. Bob Collins at Minnesota Public Radio, for instance, questioned the ethics of crunching the numbers obtained from the Wikileaked spreadsheets. Before raising the topic with Smart Politics’ Eric Ostermeier, who looked at where Coleman’s funders live and what they do, he pondered whether there’s a “compelling public interest” in Wikileaks’ releasing partial information from the database.

Granick pondered these questions.

“It’s a really serious privacy concern… because many people perhaps contributed to the campaign anonymously or confidentially. That’s protected political speech. The First Amendment has long supported the right to this kind of speech,” she said. “But if the information’s up there and it’s published, people are going to want to check it and see if they’re in the database… There’s a legitimate reason for people to want to look at it.”

First seen in the Minnesota Independent. Thanks to Paul Schmelzer and the Minnesota Independent for covering this document. Copyright remains with the aforementioned.